forked from menandmice-services/dns-monitoring-scripts
test12.sh
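#!/bin/sh
# Test 12 - RRSIG validity: check the lifetime timestamps (inception and
# expiration) of the RRSIG covering the SOA RRset of a zone. This test
# should be done for every important RRset in the zone (SOA, DNSKEY, MX,
# A/AAAA).
#
# Usage:    test12.sh <zone>
# Output:   the current time, the RRSIG inception and expiration, and one
#           ERROR/WARNING line per lifetime problem found.
# Exit:     1 if the zone argument is missing or unusable, or if no usable
#           RRSIG for the SOA RRset came back; 0 otherwise.
# Requires: dig, awk, and a date(1) that accepts --date="@<epoch>" (GNU).
#
# NOTE(review): ERROR/WARNING findings are reported on stdout only and do
# not change the exit status (same as before) - confirm that whatever runs
# this test parses the output rather than the exit code.
echo " == #12 - RRSIG validity == "

zone=$1
if [ "${zone}" = "" ]; then
  echo "This test fails without param. Exiting..."
  exit 1
fi

# dig interprets arguments starting with '-', '+' or '@' as options, query
# flags or a server address. Only a plain zone name is accepted, so the
# parameter cannot redirect the query or change how it is made.
case "${zone}" in
  [-+@]*)
    echo "ERROR: '${zone}' is not a zone name. Exiting..."
    exit 1
    ;;
esac

# Succeeds only for a 14-digit string, the YYYYMMDDHHmmSS form in which dig
# prints RRSIG timestamps. Anything else must not reach the numeric tests.
is_timestamp() {
  case "$1" in
    "" | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 14 ]
}

# RRSIG timestamps are UTC, so every reference time is derived in UTC from
# a single clock reading. Comparing against local time would shift the
# verdict by the host's UTC offset.
now_epoch=$(date -u +%s)
today=$(date -u --date="@${now_epoch}" "+%Y%m%d%H%M%S")
twodaysahead=$(date -u --date="@$((now_epoch + 172800))" "+%Y%m%d%H%M%S")
fivedaysahead=$(date -u --date="@$((now_epoch + 432000))" "+%Y%m%d%H%M%S")

# One query, so inception and expiration come from the same signature.
# +cd (checking disabled) asks a validating resolver to hand back the
# records even when validation would fail, e.g. for an expired signature;
# without it the lookup would fail instead of showing the timestamps.
answer=$(dig "${zone}" soa +cd +dnssec)

# Match on the type and type-covered columns instead of a regex over the
# whole line, so an RRSIG for another RRset whose base64 signature happens
# to contain "SOA" is not picked up. Only the first matching RRSIG is used.
# Columns: owner ttl class RRSIG SOA alg labels origttl expiration inception
lifetime=$(printf '%s\n' "${answer}" |
  awk '$4 == "RRSIG" && $5 == "SOA" { print $9, $10; exit }')
expiry=${lifetime%% *}
inception=${lifetime##* }

echo "Today : ${today}"
echo "Inception: ${inception}"
echo "Expiry : ${expiry}"

# Fail closed: an unsigned zone, a failed query or unexpected dig output
# must not look like a passing test.
if ! is_timestamp "${inception}" || ! is_timestamp "${expiry}"; then
  echo "ERROR: no usable RRSIG for the SOA RRset of ${zone} was returned"
  exit 1
fi

if [ "${inception}" -gt "${today}" ]; then
  echo "ERROR: RRSIG validity (${inception}) is in the future"
fi

if [ "${expiry}" -lt "${today}" ]; then
  echo "ERROR: RRSIG validity (${expiry}) is in the past, DNSSEC signature has expired"
fi

# 172800 s = two days: too late for a routine re-sign, report as an error.
if [ "${expiry}" -lt "${twodaysahead}" ]; then
  echo "ERROR: RRSIG validity (${expiry}) will end in less than two days"
fi

# 432000 s = five days: early warning that re-signing is overdue.
if [ "${expiry}" -lt "${fivedaysahead}" ]; then
  echo "WARNING: RRSIG validity (${expiry}) will end in less than five days"
fi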